https://www.youtube.com/watch?v=gVrdE6g fa8




parser bugs







https://t.zsxg.com/biieAAA:





<!DOCTYPE html>
<html>
<head>
<meta =
<title></title>
</head>
<body>
<title><img src="</title><s>test</s>">
</body>
</html>


Here the string </title><s>test</s> is placed inside the src attribute of the img, yet after the browser parses the page, <s>test</s> ends up as real markup rather than attribute text.


This is a parser bug: one HTML parser and the browser's parser treat the <s> differently, and that disagreement is what leads to XSS.


js html parser api 




What JS HTML parser APIs exist?


1. Use the template element




// The template content is an inert DocumentFragment: it is parsed, but nothing in it runs.
var template = document.createElement('template')
template.innerHTML = '<img src=1 onerror=alert(1)>'
template.content.children      // HTMLCollection of the parsed elements
template.content.children[0]   // the parsed <img> element


2. Use DOMParser:


https://developer.mozilla.org/en-US/docs/Web/API/DOMParser 


// stringContainingHTMLSource holds the markup to parse
var parser = new DOMParser();
var doc = parser.parseFromString(stringContainingHTMLSource, "text/html");


3. Use DOMImplementation.createHTMLDocument


function makeDocument() {
  var frame = document.getElementById("theFrame");

  // Build a fresh HTML document and add one paragraph to it
  var doc = document.implementation.createHTMLDocument("New Document");
  var p = doc.createElement("p");
  p.innerHTML = "This is a new paragraph.";

  try {
    doc.body.appendChild(p);
  } catch (e) {
    console.log(e);
  }

  // Copy the new HTML document into the frame
  var destDocument = frame.contentDocument;
  var srcNode = doc.documentElement;

  var newNode = destDocument.importNode(srcNode, true);

  destDocument.replaceChild(newNode, destDocument.documentElement);
}


A simple fuzz: compare the DOM the browser builds (through an iframe) with the DOM the JS parser API builds:


vulnerabledoma.in 





xmp + xmp 





aaa<xmp>bbb 


ccc 


firefox 
math + blockquote 


jsapi : <html><head></head><body><math>aaa<blockquote>bbb</blockquote>ccc</math></body></html> 
iframe: <html><head></head><body><math>aaa</math><blockquote>bbb</blockquote>ccc</body></html> 


math + body 
jsapi : <html><head></head><body><math>aaa<body>bbb</body>ccc</math></body></html> 
iframe: <html><head></head><body><math>aaa</math>bbbccc</body></html> 


math + br 
jsapi : <html><head></head><body><math>aaa<br>bbb</br>ccc</math></body></html> 
iframe: <html><head></head><body><math>aaa</math><br>bbb<br>ccc</body></html> 


math + div 
jsapi : <html><head></head><bo 
iframe: <html><head></head>4 







Interestingly if you run this in firefox you 
will find that math and the svg element parse 





math + embed 


In Chrome the differences involve noscript and noembed; in Firefox they involve math and svg.
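The two-parser comparison the fuzzing above relies on, reduced to the one tokenizer rule behind the title case and the noscript case, as an added example that is not part of the original post. It runs without a browser: the regex tokenizer, the element sets named DOCUMENT, DOMPARSER and NAIVE, and the sample inputs are assumptions constructed for illustration, not code from the post.

```javascript
// Start tag with optional attributes; a quoted value may contain '<' and '>'.
const START_TAG = /<([a-zA-Z][a-zA-Z0-9-]*)(?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*\s*\/?>/;

// Elements whose content the browser tokenizer treats as text (RCDATA or
// RAWTEXT) until the matching end tag, so markup inside them never becomes
// elements. <noscript> is in this set only while scripting is enabled; a
// DOMParser document has scripting disabled, so the two views disagree on it.
const DOCUMENT = new Set(["title", "textarea", "script", "style", "xmp", "noembed", "noframes", "noscript"]);
const DOMPARSER = new Set([...DOCUMENT].filter((n) => n !== "noscript"));
const NAIVE = new Set(); // a parser that knows no text-content elements at all

// Sequence of elements a parser using `textElements` would create for `markup`.
function tagSequence(markup, textElements) {
  const tags = [];
  const re = new RegExp(START_TAG.source, "g");
  const lower = markup.toLowerCase();
  let pos = 0;
  for (;;) {
    re.lastIndex = pos;
    const m = re.exec(markup);
    if (m === null) return tags;
    const name = m[1].toLowerCase();
    tags.push(name);
    pos = re.lastIndex;
    if (textElements.has(name)) {
      // Skip to the literal end tag; everything before it is text.
      const close = lower.indexOf("</" + name, pos);
      pos = close < 0 ? markup.length : close;
    }
  }
}

// True when two parser views disagree: a candidate mutation point worth
// flagging when reviewing a sanitizer.
function differential(markup, viewA, viewB) {
  return tagSequence(markup, viewA).join(",") !== tagSequence(markup, viewB).join(",");
}

// Constructed inputs: the <title> case from the post and a <noscript> variant.
const TITLE_CASE = '<body><title><img src="</title><s>test</s>"></body>';
const NOSCRIPT_CASE = '<noscript><p title="</noscript><s>test</s>"></noscript>';

console.log(tagSequence(TITLE_CASE, NAIVE));        // [ 'body', 'title', 'img' ]
console.log(tagSequence(TITLE_CASE, DOCUMENT));     // [ 'body', 'title', 's' ]
console.log(tagSequence(NOSCRIPT_CASE, DOMPARSER)); // [ 'noscript', 'p' ]
console.log(tagSequence(NOSCRIPT_CASE, DOCUMENT));  // [ 'noscript', 's' ]
```

The img that the naive view sees becomes an <s> element in the document view, which is exactly the mismatch the fuzzing output above is hunting for.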







https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-searc
https://gist.github.com/LiveOverflow/dd3d09d17c8fc0460c7e9a337b501331


